Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

bpf, selftests: Add verifier test case for imm=0,umin=0,umax=1 scalar

Add a test case to trigger the constant scalar issue which leaves the
register in scalar(imm=0,umin=0,umax=1,var_off=(0x0; 0x0)) state. Make
use of dead code elimination, so that we can see the verifier bailing
out on unfixed kernels. For the condition, we use jle given it checks
on umax bound.

Before:

# ./test_verifier 743
#743/p jump & dead code elimination FAIL
Failed to load prog 'Permission denied'!
R4 !read_ok
verification time 11 usec
stack depth 0
processed 13 insns (limit 1000000) max_states_per_insn 0 total_states 1 peak_states 1 mark_read 1
Summary: 0 PASSED, 0 SKIPPED, 1 FAILED

After:

# ./test_verifier 743
#743/p jump & dead code elimination OK
Summary: 1 PASSED, 0 SKIPPED, 0 FAILED

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Link: https://lore.kernel.org/bpf/20220701124727.11153-3-daniel@iogearbox.net
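The commit message notes that jle was chosen because the verifier resolves it from the register's umax bound. The following is an added illustration, not kernel code and not part of the patch: a simplified model of how a BPF_JLE against an immediate is decided from a scalar's unsigned range, showing why the intended state (umin=0, umax=0) lets the fall-through to the R4 read be pruned, while the state from the commit message (umin=0, umax=1) forces the verifier to explore that path and hit the uninitialized read. The struct and function names are this example's own assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed, simplified view of what the verifier knows about a scalar:
 * only its unsigned bounds are modelled here (no tnum, no signed range). */
struct scalar_bounds {
    uint64_t umin;
    uint64_t umax;
};

/* Model of resolving "BPF_JLE reg, imm" from bounds alone.
 * Returns 1 = branch always taken, 0 = never taken, -1 = unknown
 * (the verifier must then walk both successors). */
int jle_branch_taken(struct scalar_bounds r, uint64_t imm)
{
    if (r.umax <= imm)
        return 1;       /* every possible value satisfies reg <= imm */
    if (r.umin > imm)
        return 0;       /* no possible value satisfies reg <= imm  */
    return -1;
}

/* Model of the tail of the test program:
 *   BPF_JMP_IMM(BPF_JLE, R3, 0, 1)   -- taken: skip to exit, retval 2
 *   BPF_MOV64_REG(R0, R4)            -- fall-through reads R4
 *   BPF_EXIT_INSN()
 * R4 is never written, so if the fall-through is not proven dead the
 * verifier must reject the program (the "R4 !read_ok" in the message).
 * Returns 1 when the program would be accepted, 0 when rejected. */
int tail_accepted(struct scalar_bounds r3)
{
    int taken = jle_branch_taken(r3, 0);

    if (taken == 1)
        return 1;   /* fall-through dead: R4 read eliminated */
    return 0;       /* fall-through live (or only path): R4 read is an error */
}

int main(void)
{
    /* Constructed states: what R3 should be after the constant folding,
     * and the inconsistent umax=1 state quoted in the commit message. */
    struct scalar_bounds fixed = { .umin = 0, .umax = 0 };
    struct scalar_bounds unfixed = { .umin = 0, .umax = 1 };

    printf("umax=0: accepted=%d\n", tail_accepted(fixed));
    printf("umax=1: accepted=%d\n", tail_accepted(unfixed));
    return 0;
}
```

The model deliberately ignores the tnum (var_off) component: the commit message shows var_off=(0x0; 0x0), i.e. the register is known to be exactly zero, yet umax=1 contradicts that, and the branch decision above is driven purely by umax, which is why jle exposes the inconsistency.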

Authored by Daniel Borkmann and committed by Andrii Nakryiko (73c4936f 3844d153)

tools/testing/selftests/bpf/verifier/jump.c
··· 373 373 .result = ACCEPT, 374 374 .retval = 3, 375 375 }, 376 + { 377 + "jump & dead code elimination", 378 + .insns = { 379 + BPF_MOV64_IMM(BPF_REG_0, 1), 380 + BPF_MOV64_IMM(BPF_REG_3, 0), 381 + BPF_ALU64_IMM(BPF_NEG, BPF_REG_3, 0), 382 + BPF_ALU64_IMM(BPF_NEG, BPF_REG_3, 0), 383 + BPF_ALU64_IMM(BPF_OR, BPF_REG_3, 32767), 384 + BPF_JMP_IMM(BPF_JSGE, BPF_REG_3, 0, 1), 385 + BPF_EXIT_INSN(), 386 + BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 0x8000, 1), 387 + BPF_EXIT_INSN(), 388 + BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, -32767), 389 + BPF_MOV64_IMM(BPF_REG_0, 2), 390 + BPF_JMP_IMM(BPF_JLE, BPF_REG_3, 0, 1), 391 + BPF_MOV64_REG(BPF_REG_0, BPF_REG_4), 392 + BPF_EXIT_INSN(), 393 + }, 394 + .prog_type = BPF_PROG_TYPE_SCHED_CLS, 395 + .result = ACCEPT, 396 + .retval = 2, 397 + },
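Review bot: the intent of BPF_MOV64_REG(BPF_REG_0, BPF_REG_4) on the fall-through of the final BPF_JMP_IMM(BPF_JLE, BPF_REG_3, 0, 1) deserves a comment in the test, because R4 is never written anywhere in .insns and a reader can mistake it for a typo for BPF_REG_3. A one-line note that R4 is deliberately left uninitialized so that an unfixed verifier, unable to prune this path from the bogus umax=1 bound, fails with "R4 !read_ok" (as the commit message shows) would tie the instruction sequence to the failure mode; it would also make explicit that .retval = 2 depends on the jump being taken at runtime, which holds only if R3 is exactly 0 after the BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, -32767).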